
Virus controls Admin Priv Programs, AntiVirus not responding, Internet dead HELP


  • This topic is locked
29 replies to this topic

#1 Perplexed_student


Posted 28 May 2013 - 11:29 AM

Hi all,

I usually try and look around before posting a plea for help on a forum because the answer is usually online somewhere already and I often can find it!

 

Unfortunately, this time nothing has worked and in the midst of exams, the last thing I need is a busted/infected Laptop!

 

First things first, my computer is a:

 

Toshiba Satellite L755-1HW

Running: Windows 7 Home premium, Service Pack 1

Intel i5-2450M CPU @ 2.50GHz processor

6GB RAM

64-bit operating system

 

I am certain that this is one virus, that causes a multitude of problems: 

  • It is blocking any program that: a) requires Administrator privileges and b) is an anti-virus program (including programs like Norton AV which already has admin privileges)!
  • I can no longer access the internet (in normal and in the various 'Safe Modes')
  • Startup programs (like Skype) provide error in opening messages (e.g. 'This application was unable to start correctly (0x0000022). Click OK to close the application')
  • The admin. privilege .exe's either a) don't respond (Norton AV) or b) provide this cheerful message: 'C:/Program Files (x86)/Malwarebyte's Anti-Malware/mbaum.exe [for e.g.] This program does not exist as an installed service.' - It is definitely installed!
  • The Laptop has also slowed down a lot just today (after I realised something was going on and tried to rectify the problem!)

Summary of recent events:

2/3 days ago I was prompted to download a large update from Symantec for Norton Internet Security (22.3.1.something, a legit update though). There was an error in the install (Antimalwarebytes stuff apparently is not compatible) (Error:8804,101) and it appeared to install fine, though the program page didn't respond, I assumed (perhaps naively) that it wasn't a problem.

Upon doing research of the error code this morning I assumed that it was the Anti Malwarebytes (let's call it AMb for short) blocking a Norton install so I uninstalled the AMb and, having installed 'Sophos Virus remover' (to protect the computer whilst I was uninstalling/re-installing etc.) I followed Symantec instructions by uninstalling Norton using Norton Power Eraser and restarting (as instructed by the program to do so).

However, following my restart, NPE did not prompt me to install Norton internet security and I had no antivirus at all on my computer (save for Sophos which refused to open:'This program does not exist as an installed service'), I did have a manual install of Norton Int. Secur. which I found on the Symantec Forum but it, as well as the other Symantec programs I downloaded to assist me refused to open, the same error message, so I was defenseless!

 

I went on Safe Mode after that and tried fixes in this order:

  1. Kaspersky's 'tdsskiller' to search for root-kits which didn't find anything apart from file endings (which I quarantined just to be safe) - did not work, but the internet on my computer stopped working soon after that
  2. 2 failed attempts at scanning using AMb on a memory stick before the memory stick drive said that I needed to format the stick to continue using it!
  3. Full scan using 'Sophos Virus Removal Tool' - found nothing,
  4. Realised I could access admin. programs so re-installed Norton (without same problem, but it had no way to update), did a full scan, found nothing,
  5. Re-installed AMb on my computer, found nothing,
  6. Read that the virus could be using my internet as a proxy, but no LAN or Proxy setting changes are apparent, I finally managed to get into Network and Sharing Center, but I cannot access the internet as 'The dependency service does not exist or has been marked for deletion' (I seriously hope Kaspersky's 'tdssKiller' didn't do that by removing key bits of the registry!!) I was unable to get that far in Safe Mode (with Network), and had an error message when I tried to troubleshoot: 'A problem in preventing the troubleshooter from starting. Package ID: Unknown, Path: C:/Windows/diagnostics/system/networking, Error code: 0x80070426, Context: Restricted')
  7. Hell, I even tried RKill from this site which BSODed my computer once in normal and once in Safe mode (decided to stop there!)

I am certain there is still only one virus on my computer but my Anti-Virus is compromised! I would really love some help with this because I am at my wits-end and I need my laptop for my exams!! Many thanks in advance!


Edited by Perplexed_student, 28 May 2013 - 12:25 PM.


#2 Broni

  • BC Advisor

Posted 28 May 2013 - 01:34 PM

I'll report this topic to appropriate helpers.

Hold on there....



 


#3 Perplexed_student

  • Topic Starter

Posted 28 May 2013 - 02:04 PM

I'll report this topic to appropriate helpers.
Hold on there....


Thank you!

#4 jntkwx

  • Malware Response Team

Posted 30 May 2013 - 09:42 PM

Hi Perplexed_student,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx, or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately and then click Follow This Topic, and you will be sent an email once I have posted a response, which will make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 
FRST

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you can not enter System Recovery Options by using F8 method, you can use Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disk on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html


    - OR -

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt


    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Edited by Orange Blossom, 30 May 2013 - 10:23 PM.
Moved to log forum. ~ OB

Regards,
Jason

 



#5 Perplexed_student

  • Topic Starter

Posted 31 May 2013 - 07:04 AM

Thanks for the reply, I hope you are awake!

 

Here is the log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 30-05-2013 01
Ran by SYSTEM on 31-05-2013 13:00:49
Running from G:\
Windows 7 Home Premium Service Pack 1 (X64) OS Language: English(US)
Internet Explorer Version 9
Boot Mode: Recovery
 
The current controlset is ControlSet001
ATTENTION!:=====> FRST is updated to run from normal or Safe mode to produce a full FRST.txt log and an extra Addition.txt log.
 
==================== Registry (Whitelisted) ==================
 
HKLM\...\Run: [Toshiba TEMPRO] C:\Program Files (x86)\Toshiba TEMPRO\TemproTray.exe [1546720 2011-02-09] (Toshiba Europe GmbH)
HKLM\...\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe [597928 2011-03-03] (TOSHIBA Corporation)
HKLM\...\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe [38304 2010-12-14] (TOSHIBA Corporation)
HKLM\...\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE [566696 2011-03-02] (TOSHIBA Corporation)
HKLM\...\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe [296824 2010-09-25] (TOSHIBA Corporation)
HKLM\...\Run: [TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe [973176 2010-12-15] (TOSHIBA Corporation)
HKLM\...\Run: [SmartAudio] C:\Program Files\CONEXANT\SAII\SAIICpl.exe /t [316032 2010-12-14] (Conexant systems, Inc.)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [2679592 2011-02-03] (Synaptics Incorporated)
HKLM\...\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r [1520552 2011-03-02] (TOSHIBA Corporation)
HKLM\...\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe [710040 2010-12-08] (TOSHIBA Corporation)
HKLM\...\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe [712096 2011-07-01] (TOSHIBA Corporation)
HKLM\...\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe [24376 2009-11-11] (TOSHIBA Corporation)
HKLM\...\Run: [Toshiba Registration] C:\Program Files\TOSHIBA\Registration\ToshibaReminder.exe [150992 2011-08-03] (Toshiba Europe GmbH)
HKLM\...\Run: [Eraser] "C:\PROGRA~1\Eraser\Eraser.exe" --atRestart [980920 2012-05-21] (The Eraser Project)
HKLM-x32\...\Runonce: [9EF927D9-CA2F-4329-9A7D-168AD1E06525] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 9EF927D9-CA2F-4329-9A7D-168AD1E06525.exe -postboot [x]
HKLM-x32\...\Runonce: [3A30AADF-CF81-44CE-8FF2-4F6E631B3E84] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 3A30AADF-CF81-44CE-8FF2-4F6E631B3E84.exe -activeimages -postboot [x]
HKLM-x32\...\Runonce: [0A8A53A5-716C-4096-9616-F5D377FFDFE6] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 0A8A53A5-716C-4096-9616-F5D377FFDFE6.exe -postboot [x]
HKLM-x32\...\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent [532040 2013-04-04] (Malwarebytes Corporation)
HKLM-x32\...\Runonce: [AF343A8D-8010-488B-AF84-FDC6CF3519EE] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B AF343A8D-8010-488B-AF84-FDC6CF3519EE.exe -activeimages -postboot [x]
HKLM-x32\...\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [958576 2013-04-04] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [NBAgent] "c:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart [1409424 2011-06-29] (Nero AG)
HKLM-x32\...\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START [83336 2009-07-22] (TOSHIBA CORPORATION)
HKLM-x32\...\Run: [TSleepSrv] %ProgramFiles(x86)%\TOSHIBA\TOSHIBA Sleep Utility\TSleepSrv.exe [x]
HKLM-x32\...\Run: [ToshibaServiceStation] "C:\Program Files (x86)\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe" /hide:60 [1294712 2010-11-29] (TOSHIBA Corporation)
HKLM-x32\...\Run: [AVG_TRAY] "C:\Program Files (x86)\AVG\AVG2012\avgtray.exe" [x]
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59720 2013-01-28] (Apple Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49208 2010-06-09] (Hewlett-Packard)
HKLM-x32\...\Run: []  [x]
HKLM-x32\...\Run: [TBSafeCenter] C:\Program Files (x86)\TaoBao\TBSafeCenter\TBSafeCenter.exe -autorun [1845128 2012-12-06] (??(??)??????)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [152392 2013-02-20] (Apple Inc.)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [253816 2013-03-11] (Oracle Corporation)
HKU\Default\...\Run: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STAR [846936 2011-05-15] (TOSHIBA)
HKU\Default User\...\Run: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STAR [846936 2011-05-15] (TOSHIBA)
HKU\Rupert\...\Run: [TOPI.EXE] C:\Program Files (x86)\TOSHIBA\TOSHIBA Online Product Information\topi.exe /STAR [846936 2011-05-15] (TOSHIBA)
HKU\Rupert\...\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [39408 2011-08-03] (Google Inc.)
HKU\Rupert\...\Run: [DAEMON Tools Lite] "C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe" -autorun [3481408 2012-02-13] (DT Soft Ltd)
HKU\Rupert\...\Run: [SandboxieControl] "C:\Program Files\Sandboxie\SbieCtrl.exe" [765200 2012-08-25] (SANDBOXIE L.T.D)
HKU\Rupert\...\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot [x]
HKU\Rupert\...\Run: [RESTART_STICKY_NOTES] C:\Windows\System32\StikyNot.exe [427520 2009-07-13] (Microsoft Corporation)
Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk
ShortcutTarget: TRDCReminder.lnk -> C:\Program Files (x86)\TOSHIBA\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe)
Startup: C:\Users\Rupert\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
ShortcutTarget: BBC iPlayer Desktop.lnk -> C:\Program Files (x86)\BBC iPlayer Desktop\BBC iPlayer Desktop.exe (No File)
 
==================== Services (Whitelisted) =================
 
S2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\20.3.1.22\diMaster.dll [554288 2013-03-29] (Symantec Corporation)
S2 PnkBstrA; C:\Windows\SysWow64\PnkBstrA.exe [75136 2012-03-28] ()
S2 SbieSvc; C:\Program Files\Sandboxie\SbieSvc.exe [123664 2012-08-25] (SANDBOXIE L.T.D)
S3 TemproMonitoringService; C:\Program Files (x86)\Toshiba TEMPRO\TemproSvc.exe [112080 2011-02-09] (Toshiba Europe GmbH)
 
==================== Drivers (Whitelisted) ====================
 
S1 BHDrvx64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\BASHDefs\20130107.001\BHDrvx64.sys [1384608 2012-11-19] (Symantec Corporation)
S1 dtsoftbus01; C:\Windows\System32\DRIVERS\dtsoftbus01.sys [283200 2012-03-20] (DT Soft Ltd)
S1 eeCtrl; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\eeCtrl64.sys [484512 2013-01-31] (Symantec Corporation)
S3 EraserUtilRebootDrv; C:\Program Files (x86)\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [138912 2013-01-31] (Symantec Corporation)
S1 IDSVia64; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\IPSDefs\20130113.001\IDSVia64.sys [513184 2012-11-15] (Symantec Corporation)
S3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130131.020\ENG64.SYS [126192 2013-01-31] (Symantec Corporation)
S3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.3.1.22\Definitions\VirusDefs\20130131.020\EX64.SYS [2087664 2013-01-31] (Symantec Corporation)
S2 ProtectorA; C:\Windows\system32\drivers\ProtectorA.sys [22672 2012-01-11] (www.ISRA.org.cn)
S3 SbieDrv; C:\Program Files\Sandboxie\SbieDrv.sys [202632 2012-08-25] (SANDBOXIE L.T.D)
S3 SymEvent; C:\Windows\system32\Drivers\SYMEVENT64x86.SYS [177312 2013-05-28] (Symantec Corporation)
S1 ccSet_NIS; \SystemRoot\system32\drivers\NISx64\1403010.016\ccSetx64.sys [x]
S3 SRTSP; \SystemRoot\system32\drivers\NISx64\1403010.016\SRTSP64.SYS [x]
S1 SRTSPX; \SystemRoot\system32\drivers\NISx64\1403010.016\SRTSPX64.SYS [x]
S0 SymDS; system32\drivers\NISx64\1403010.016\SYMDS64.SYS [x]
S0 SymEFA; system32\drivers\NISx64\1403010.016\SYMEFA64.SYS [x]
S1 SymIRON; \SystemRoot\system32\drivers\NISx64\1403010.016\Ironx64.SYS [x]
S1 SymNetS; \SystemRoot\system32\drivers\NISx64\1403010.016\SYMNETS.SYS [x]
S3 Tosrfcom; No ImagePath
 
==================== NetSvcs (Whitelisted) ===================
 
 
==================== One Month Created Files and Folders ========
 
2013-05-31 13:00 - 2013-05-31 13:00 - 00000000 ____D C:\FRST
2013-05-30 08:15 - 2013-05-30 08:16 - 127690902 ____A C:\Users\Rupert\Downloads\[Scores] Documents.rar
2013-05-30 08:09 - 2013-05-30 08:10 - 155739489 ____A C:\Users\Rupert\Downloads\[320] HP2 Music Game Rip.rar
2013-05-28 06:35 - 2013-05-28 06:35 - 00001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-28 06:35 - 2013-05-28 06:35 - 00001116 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-28 06:35 - 2013-05-28 06:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-28 06:35 - 2013-04-04 05:50 - 00025928 ____A (Malwarebytes Corporation) C:\Windows\System32\Drivers\mbam.sys
2013-05-28 06:22 - 2013-05-28 06:31 - 00000000 ____D C:\Windows\Minidump
2013-05-28 06:13 - 2013-05-31 03:41 - 00000338 ____A C:\TMachInfo.log
2013-05-28 05:37 - 2013-05-28 05:37 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2013-05-28 05:37 - 2013-05-28 05:37 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2013-05-28 05:37 - 2013-05-28 05:37 - 00002580 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2013-05-28 05:37 - 2013-05-28 05:37 - 00002580 ____A C:\ProgramData\Desktop\Norton Internet Security.lnk
2013-05-28 05:37 - 2013-05-28 05:37 - 00000000 ____D C:\Program Files\Symantec
2013-05-28 05:37 - 2013-05-28 05:37 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-05-28 05:35 - 2013-05-28 05:35 - 00000000 ____D C:\Windows\System32\Drivers\NISx64
2013-05-28 05:35 - 2013-05-28 05:35 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security
2013-05-28 04:37 - 2013-05-28 08:30 - 00000000 ____D C:\Users\Rupert\AppData\Local\CrashDumps
2013-05-28 02:19 - 2013-05-28 06:09 - 00000000 ____D C:\Users\Rupert\AppData\Local\NPE
2013-05-28 02:12 - 2013-05-28 02:12 - 00000000 ____D C:\ProgramData\PCSettings
2013-05-28 01:57 - 2013-05-28 05:27 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-05-28 01:52 - 2013-05-28 01:52 - 00003211 ____A C:\Users\Rupert\Desktop\Sophos Virus Removal Tool.lnk
2013-05-28 01:52 - 2013-05-28 01:52 - 00000000 ____D C:\ProgramData\Sophos
2013-05-28 01:52 - 2013-05-28 01:52 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-05-25 17:42 - 2013-05-25 17:42 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-05-25 02:15 - 2013-04-04 22:52 - 02242048 ____A (Microsoft Corporation) C:\Windows\System32\wininet.dll
2013-05-25 02:15 - 2013-04-04 22:52 - 01365504 ____A (Microsoft Corporation) C:\Windows\System32\urlmon.dll
2013-05-25 02:15 - 2013-04-04 22:52 - 00051712 ____A (Microsoft Corporation) C:\Windows\System32\ie4uinit.exe
2013-05-25 02:15 - 2013-04-04 22:50 - 19231232 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 15404032 ____A (Microsoft Corporation) C:\Windows\System32\ieframe.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 03958784 ____A (Microsoft Corporation) C:\Windows\System32\jscript9.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 02647552 ____A (Microsoft Corporation) C:\Windows\System32\iertutil.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00855552 ____A (Microsoft Corporation) C:\Windows\System32\jscript.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00603136 ____A (Microsoft Corporation) C:\Windows\System32\msfeeds.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00526336 ____A (Microsoft Corporation) C:\Windows\System32\ieui.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00136704 ____A (Microsoft Corporation) C:\Windows\System32\iesysprep.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00067072 ____A (Microsoft Corporation) C:\Windows\System32\iesetup.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00053248 ____A (Microsoft Corporation) C:\Windows\System32\jsproxy.dll
2013-05-25 02:15 - 2013-04-04 22:50 - 00039936 ____A (Microsoft Corporation) C:\Windows\System32\iernonce.dll
2013-05-25 02:15 - 2013-04-04 21:28 - 01767424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wininet.dll
2013-05-25 02:15 - 2013-04-04 21:28 - 01130496 ____A (Microsoft Corporation) C:\Windows\SysWOW64\urlmon.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 14323712 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 13760512 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieframe.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 02877440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript9.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 02046976 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iertutil.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00690688 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jscript.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00493056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeeds.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00391168 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieui.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00109056 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesysprep.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00061440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iesetup.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00039424 ____A (Microsoft Corporation) C:\Windows\SysWOW64\jsproxy.dll
2013-05-25 02:15 - 2013-04-04 21:26 - 00033280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iernonce.dll
2013-05-25 02:15 - 2013-04-04 20:43 - 02706432 ____A (Microsoft Corporation) C:\Windows\System32\mshtml.tlb
2013-05-25 02:15 - 2013-04-04 20:29 - 02706432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtml.tlb
2013-05-25 02:15 - 2013-04-04 19:51 - 00089600 ____A (Microsoft Corporation) C:\Windows\System32\RegisterIEPKEYs.exe
2013-05-25 02:15 - 2013-04-04 19:38 - 00071680 ____A (Microsoft Corporation) C:\Windows\SysWOW64\RegisterIEPKEYs.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-24 17:56 - 2013-05-24 17:56 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-24 17:56 - 2013-05-24 17:56 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-05-24 17:56 - 2013-05-24 17:56 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-05-24 17:56 - 2013-05-24 17:56 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-05-24 17:56 - 2013-05-24 17:56 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-05-24 17:56 - 2013-05-24 17:56 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-05-24 17:56 - 2013-05-24 17:56 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-05-24 17:56 - 2013-05-24 17:56 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2013-05-18 08:06 - 2013-05-28 02:20 - 00000000 ____D C:\Users\Rupert\Desktop\Comparative Politics
2013-05-17 17:13 - 2013-05-17 17:13 - 00000000 ____D C:\Program Files (x86)\Monkey's Audio
2013-05-17 17:13 - 2013-01-19 15:55 - 00429056 ____A (Matthew T. Ashland) C:\Windows\SysWOW64\MACDll.dll
2013-05-17 10:06 - 2013-05-17 10:06 - 00001249 ____A C:\Users\Public\Desktop\Medieval CUE Splitter.lnk
2013-05-17 10:06 - 2013-05-17 10:06 - 00001249 ____A C:\ProgramData\Desktop\Medieval CUE Splitter.lnk
2013-05-17 10:06 - 2013-05-17 10:06 - 00000000 ____D C:\Program Files (x86)\Medieval Software
2013-05-17 10:00 - 2013-05-17 10:00 - 00002163 ____A C:\Users\Public\Desktop\Free Video Dub.lnk
2013-05-17 10:00 - 2013-05-17 10:00 - 00002163 ____A C:\ProgramData\Desktop\Free Video Dub.lnk
2013-05-17 09:59 - 2013-05-17 10:00 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2013-05-17 09:59 - 2013-05-17 09:59 - 00002235 ____A C:\Users\Public\Desktop\Free Audio Converter.lnk
2013-05-17 09:59 - 2013-05-17 09:59 - 00002235 ____A C:\ProgramData\Desktop\Free Audio Converter.lnk
2013-05-17 02:34 - 2013-05-26 16:37 - 00000000 ____D C:\Users\Rupert\Desktop\Political Concepts
2013-05-14 10:39 - 2013-04-09 22:01 - 00983400 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgkrnl.sys
2013-05-14 10:39 - 2013-04-09 22:01 - 00265064 ____A (Microsoft Corporation) C:\Windows\System32\Drivers\dxgmms1.sys
2013-05-14 10:39 - 2013-02-26 22:02 - 00111448 ____A (Microsoft Corporation) C:\Windows\System32\consent.exe
2013-05-14 10:39 - 2013-02-26 21:52 - 14172672 ____A (Microsoft Corporation) C:\Windows\System32\shell32.dll
2013-05-14 10:39 - 2013-02-26 21:52 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\shdocvw.dll
2013-05-14 10:39 - 2013-02-26 21:48 - 01930752 ____A (Microsoft Corporation) C:\Windows\System32\authui.dll
2013-05-14 10:39 - 2013-02-26 20:55 - 12872704 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shell32.dll
2013-05-14 10:39 - 2013-02-26 20:55 - 00180224 ____A (Microsoft Corporation) C:\Windows\SysWOW64\shdocvw.dll
2013-05-14 10:39 - 2013-02-26 20:49 - 01796096 ____A (Microsoft Corporation) C:\Windows\SysWOW64\authui.dll
2013-05-14 10:39 - 2011-02-03 03:25 - 00144384 ____A (Microsoft Corporation) C:\Windows\System32\cdd.dll
2013-05-14 10:38 - 2013-04-09 19:30 - 03153920 ____A (Microsoft Corporation) C:\Windows\System32\win32k.sys
2013-05-14 10:38 - 2013-03-18 21:53 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\wwanprotdim.dll
2013-05-12 06:43 - 2013-05-12 06:43 - 00263584 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-05-02 17:03 - 2013-05-02 17:03 - 00001798 ____A C:\Users\Rupert\Desktop\Lectures.txt
 
==================== One Month Modified Files and Folders =======
 
2013-05-31 13:00 - 2013-05-31 13:00 - 00000000 ____D C:\FRST
2013-05-31 03:48 - 2009-07-13 20:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2013-05-31 03:48 - 2009-07-13 20:45 - 00025120 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2013-05-31 03:44 - 2009-07-13 21:13 - 00005366 ____A C:\Windows\System32\PerfStringBackup.INI
2013-05-31 03:43 - 2012-01-10 10:01 - 02007153 ____A C:\Windows\WindowsUpdate.log
2013-05-31 03:41 - 2013-05-28 06:13 - 00000338 ____A C:\TMachInfo.log
2013-05-31 03:39 - 2009-07-13 21:08 - 00032544 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2013-05-31 03:39 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2013-05-30 10:26 - 2012-03-11 11:46 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\vlc
2013-05-30 08:16 - 2013-05-30 08:15 - 127690902 ____A C:\Users\Rupert\Downloads\[Scores] Documents.rar
2013-05-30 08:10 - 2013-05-30 08:09 - 155739489 ____A C:\Users\Rupert\Downloads\[320] HP2 Music Game Rip.rar
2013-05-28 08:30 - 2013-05-28 04:37 - 00000000 ____D C:\Users\Rupert\AppData\Local\CrashDumps
2013-05-28 06:35 - 2013-05-28 06:35 - 00001116 ____A C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-28 06:35 - 2013-05-28 06:35 - 00001116 ____A C:\ProgramData\Desktop\Malwarebytes Anti-Malware.lnk
2013-05-28 06:35 - 2013-05-28 06:35 - 00000000 ____D C:\Program Files (x86)\Malwarebytes' Anti-Malware
2013-05-28 06:31 - 2013-05-28 06:22 - 00000000 ____D C:\Windows\Minidump
2013-05-28 06:31 - 2013-04-09 23:29 - 00271587 ____N C:\Windows\Minidump\052813-53087-01.dmp
2013-05-28 06:21 - 2013-04-09 23:29 - 00271587 ____N C:\Windows\Minidump\052813-43836-01.dmp
2013-05-28 06:09 - 2013-05-28 02:19 - 00000000 ____D C:\Users\Rupert\AppData\Local\NPE
2013-05-28 05:37 - 2013-05-28 05:37 - 00177312 ____A (Symantec Corporation) C:\Windows\System32\Drivers\SYMEVENT64x86.SYS
2013-05-28 05:37 - 2013-05-28 05:37 - 00007466 ____A C:\Windows\System32\Drivers\SYMEVENT64x86.CAT
2013-05-28 05:37 - 2013-05-28 05:37 - 00002580 ____A C:\Users\Public\Desktop\Norton Internet Security.lnk
2013-05-28 05:37 - 2013-05-28 05:37 - 00002580 ____A C:\ProgramData\Desktop\Norton Internet Security.lnk
2013-05-28 05:37 - 2013-05-28 05:37 - 00000000 ____D C:\Program Files\Symantec
2013-05-28 05:37 - 2013-05-28 05:37 - 00000000 ____D C:\Program Files\Common Files\Symantec Shared
2013-05-28 05:35 - 2013-05-28 05:35 - 00000000 ____D C:\Windows\System32\Drivers\NISx64
2013-05-28 05:35 - 2013-05-28 05:35 - 00000000 ____D C:\Program Files (x86)\Norton Internet Security
2013-05-28 05:35 - 2012-08-24 04:18 - 00000000 ____D C:\ProgramData\Norton
2013-05-28 05:27 - 2013-05-28 01:57 - 00000000 ____D C:\TDSSKiller_Quarantine
2013-05-28 04:36 - 2012-06-29 10:30 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\Malwarebytes
2013-05-28 02:35 - 2012-08-04 19:57 - 00000830 ____A C:\Windows\Tasks\Adobe Flash Player Updater.job
2013-05-28 02:31 - 2011-08-03 02:00 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2013-05-28 02:31 - 2009-07-13 20:51 - 00107197 ____A C:\Windows\setupact.log
2013-05-28 02:30 - 2011-08-03 02:00 - 00000912 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2013-05-28 02:21 - 2010-11-20 19:47 - 02233406 ____A C:\Windows\PFRO.log
2013-05-28 02:20 - 2013-05-18 08:06 - 00000000 ____D C:\Users\Rupert\Desktop\Comparative Politics
2013-05-28 02:12 - 2013-05-28 02:12 - 00000000 ____D C:\ProgramData\PCSettings
2013-05-28 01:52 - 2013-05-28 01:52 - 00003211 ____A C:\Users\Rupert\Desktop\Sophos Virus Removal Tool.lnk
2013-05-28 01:52 - 2013-05-28 01:52 - 00000000 ____D C:\ProgramData\Sophos
2013-05-28 01:52 - 2013-05-28 01:52 - 00000000 ____D C:\Program Files (x86)\Sophos
2013-05-28 01:27 - 2012-03-14 09:18 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\DMCache
2013-05-28 01:21 - 2012-08-08 21:49 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\IDM
2013-05-27 09:14 - 2013-01-23 13:41 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\Mp3tag
2013-05-26 16:37 - 2013-05-17 02:34 - 00000000 ____D C:\Users\Rupert\Desktop\Political Concepts
2013-05-25 17:57 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\NDF
2013-05-25 17:42 - 2013-05-25 17:42 - 00000000 ____D C:\Users\Public\Downloads\Norton
2013-05-25 02:20 - 2012-03-11 11:51 - 00000000 ____D C:\Program Files (x86)\JDownloader
2013-05-25 02:05 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2013-05-24 17:58 - 2013-03-14 17:51 - 00019734 ____A C:\Windows\IE10_main.log
2013-05-24 17:56 - 2013-05-24 17:56 - 01509376 ____A (Microsoft Corporation) C:\Windows\System32\inetcpl.cpl
2013-05-24 17:56 - 2013-05-24 17:56 - 01441280 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inetcpl.cpl
2013-05-24 17:56 - 2013-05-24 17:56 - 01400416 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dat
2013-05-24 17:56 - 2013-05-24 17:56 - 01400416 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dat
2013-05-24 17:56 - 2013-05-24 17:56 - 01054720 ____A (Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00905728 ____A (Microsoft Corporation) C:\Windows\System32\mshtmlmedia.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00762368 ____A (Microsoft Corporation) C:\Windows\System32\ieapfltr.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00719360 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmlmedia.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00629248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieapfltr.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00599552 ____A (Microsoft Corporation) C:\Windows\System32\vbscript.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00523264 ____A (Microsoft Corporation) C:\Windows\SysWOW64\vbscript.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00452096 ____A (Microsoft Corporation) C:\Windows\System32\dxtmsft.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00441856 ____A (Microsoft Corporation) C:\Windows\System32\html.iec
2013-05-24 17:56 - 2013-05-24 17:56 - 00361984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\html.iec
2013-05-24 17:56 - 2013-05-24 17:56 - 00357888 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtmsft.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00281600 ____A (Microsoft Corporation) C:\Windows\System32\dxtrans.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00270848 ____A (Microsoft Corporation) C:\Windows\System32\iedkcs32.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00247296 ____A (Microsoft Corporation) C:\Windows\System32\webcheck.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00242200 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iedkcs32.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00235008 ____A (Microsoft Corporation) C:\Windows\System32\url.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00232960 ____A (Microsoft Corporation) C:\Windows\SysWOW64\url.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00226816 ____A (Microsoft Corporation) C:\Windows\SysWOW64\dxtrans.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00226304 ____A (Microsoft Corporation) C:\Windows\System32\elshyph.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00216064 ____A (Microsoft Corporation) C:\Windows\System32\msls31.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00204800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\webcheck.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00197120 ____A (Microsoft Corporation) C:\Windows\System32\msrating.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00185344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\elshyph.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00173568 ____A (Microsoft Corporation) C:\Windows\System32\ieUnatt.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00167424 ____A (Microsoft Corporation) C:\Windows\System32\iexpress.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00163840 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msrating.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00158720 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msls31.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00150528 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iexpress.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00149504 ____A (Microsoft Corporation) C:\Windows\System32\occache.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00144896 ____A (Microsoft Corporation) C:\Windows\System32\wextract.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00138752 ____A (Microsoft Corporation) C:\Windows\SysWOW64\wextract.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00137216 ____A (Microsoft Corporation) C:\Windows\SysWOW64\ieUnatt.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00136192 ____A (Microsoft Corporation) C:\Windows\System32\iepeers.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00135680 ____A (Microsoft Corporation) C:\Windows\System32\IEAdvpack.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00125440 ____A (Microsoft Corporation) C:\Windows\SysWOW64\occache.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00117248 ____A (Microsoft Corporation) C:\Windows\SysWOW64\iepeers.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00110592 ____A (Microsoft Corporation) C:\Windows\SysWOW64\IEAdvpack.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00102912 ____A (Microsoft Corporation) C:\Windows\System32\inseng.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00097280 ____A (Microsoft Corporation) C:\Windows\System32\mshtmled.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00092160 ____A (Microsoft Corporation) C:\Windows\System32\SetIEInstalledDate.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00082432 ____A (Microsoft Corporation) C:\Windows\SysWOW64\inseng.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00081408 ____A (Microsoft Corporation) C:\Windows\System32\icardie.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00079872 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmled.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00077312 ____A (Microsoft Corporation) C:\Windows\System32\tdc.ocx
2013-05-24 17:56 - 2013-05-24 17:56 - 00073728 ____A (Microsoft Corporation) C:\Windows\SysWOW64\SetIEInstalledDate.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00069120 ____A (Microsoft Corporation) C:\Windows\SysWOW64\icardie.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00062976 ____A (Microsoft Corporation) C:\Windows\System32\pngfilt.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00061952 ____A (Microsoft Corporation) C:\Windows\SysWOW64\tdc.ocx
2013-05-24 17:56 - 2013-05-24 17:56 - 00057344 ____A (Microsoft Corporation) C:\Windows\SysWOW64\pngfilt.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00052224 ____A (Microsoft Corporation) C:\Windows\System32\msfeedsbs.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00051200 ____A (Microsoft Corporation) C:\Windows\System32\imgutil.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00048640 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshtmler.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00048640 ____A (Microsoft Corporation) C:\Windows\System32\mshtmler.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00041984 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedsbs.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00038400 ____A (Microsoft Corporation) C:\Windows\SysWOW64\imgutil.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00027648 ____A (Microsoft Corporation) C:\Windows\System32\licmgr10.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00023040 ____A (Microsoft Corporation) C:\Windows\SysWOW64\licmgr10.dll
2013-05-24 17:56 - 2013-05-24 17:56 - 00013824 ____A (Microsoft Corporation) C:\Windows\System32\mshta.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00012800 ____A (Microsoft Corporation) C:\Windows\SysWOW64\mshta.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00012800 ____A (Microsoft Corporation) C:\Windows\System32\msfeedssync.exe
2013-05-24 17:56 - 2013-05-24 17:56 - 00011776 ____A (Microsoft Corporation) C:\Windows\SysWOW64\msfeedssync.exe
2013-05-24 04:32 - 2013-04-19 00:51 - 00002190 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2013-05-24 04:32 - 2013-04-19 00:51 - 00002190 ____A C:\ProgramData\Desktop\Google Chrome.lnk
2013-05-23 10:26 - 2012-04-23 23:40 - 00002026 ____A C:\Users\Public\Desktop\Adobe Reader X.lnk
2013-05-23 10:26 - 2012-04-23 23:40 - 00002026 ____A C:\ProgramData\Desktop\Adobe Reader X.lnk
2013-05-17 17:13 - 2013-05-17 17:13 - 00000000 ____D C:\Program Files (x86)\Monkey's Audio
2013-05-17 10:06 - 2013-05-17 10:06 - 00001249 ____A C:\Users\Public\Desktop\Medieval CUE Splitter.lnk
2013-05-17 10:06 - 2013-05-17 10:06 - 00001249 ____A C:\ProgramData\Desktop\Medieval CUE Splitter.lnk
2013-05-17 10:06 - 2013-05-17 10:06 - 00000000 ____D C:\Program Files (x86)\Medieval Software
2013-05-17 10:00 - 2013-05-17 10:00 - 00002163 ____A C:\Users\Public\Desktop\Free Video Dub.lnk
2013-05-17 10:00 - 2013-05-17 10:00 - 00002163 ____A C:\ProgramData\Desktop\Free Video Dub.lnk
2013-05-17 10:00 - 2013-05-17 09:59 - 00000000 ____D C:\Program Files (x86)\DVDVideoSoft
2013-05-17 10:00 - 2012-03-11 11:50 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\DVDVideoSoft
2013-05-17 09:59 - 2013-05-17 09:59 - 00002235 ____A C:\Users\Public\Desktop\Free Audio Converter.lnk
2013-05-17 09:59 - 2013-05-17 09:59 - 00002235 ____A C:\ProgramData\Desktop\Free Audio Converter.lnk
2013-05-17 09:47 - 2012-04-01 04:21 - 00000000 ____D C:\Users\Rupert\Documents\DVDVideoSoft
2013-05-17 02:42 - 2012-03-18 04:23 - 00000000 ____D C:\Users\Rupert\AppData\Roaming\Skype
2013-05-16 04:07 - 2012-10-03 08:26 - 00000000 ____D C:\Users\Rupert\AppData\Local\HP
2013-05-16 02:17 - 2009-07-13 20:45 - 00398744 ____A C:\Windows\System32\FNTCACHE.DAT
2013-05-15 00:46 - 2012-03-31 08:23 - 75016696 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2013-05-12 14:05 - 2012-10-04 09:32 - 00001654 ____A C:\Windows\Tasks\hpwebreg_xxxxxxxxxx.job
2013-05-12 13:54 - 2012-10-11 07:56 - 00001614 ____A C:\Windows\Tasks\hpwebreg_CN26I1DJZQ05QT.job
2013-05-12 06:43 - 2013-05-12 06:43 - 00263584 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaws.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\javaw.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00174496 ____A (Oracle Corporation) C:\Windows\SysWOW64\java.exe
2013-05-12 06:43 - 2013-05-12 06:43 - 00095648 ____A (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2013-05-12 06:43 - 2013-02-22 11:01 - 00866720 ____A (Oracle Corporation) C:\Windows\SysWOW64\npDeployJava1.dll
2013-05-12 06:43 - 2011-08-03 02:11 - 00788896 ____A (Oracle Corporation) C:\Windows\SysWOW64\deployJava1.dll
2013-05-12 06:43 - 2011-08-03 02:11 - 00000000 ____D C:\Program Files (x86)\Java
2013-05-12 06:42 - 2011-08-03 01:50 - 00000000 ____D C:\ProgramData\McAfee
2013-05-02 17:03 - 2013-05-02 17:03 - 00001798 ____A C:\Users\Rupert\Desktop\Lectures.txt
2013-05-01 17:06 - 2010-11-20 19:27 - 00278800 ____N (Microsoft Corporation) C:\Windows\System32\MpSigStub.exe
 
==================== Known DLLs (Whitelisted) ================
 
 
==================== Bamital & volsnap Check =================
 
C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit
 
==================== EXE ASSOCIATION =====================
 
HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK
 
==================== Restore Points  =========================
 
 
==================== Memory info =========================== 
 
Percentage of memory in use: 12%
Total physical RAM: 6091.86 MB
Available physical RAM: 5320.78 MB
Total Pagefile: 6090.06 MB
Available Pagefile: 5311.61 MB
Total Virtual: 8192 MB
Available Virtual: 8191.85 MB
 
==================== Drives ================================
 
Drive c: (WINDOWS) (Fixed) (Total:348.61 GB) (Free:72.19 GB) NTFS (Disk=0 Partition=2)
Drive d: (Data) (Fixed) (Total:349.64 GB) (Free:52.82 GB) NTFS (Disk=0 Partition=3)
Drive e: (SYSTEM) (Fixed) (Total:0.39 GB) (Free:0.14 GB) NTFS (Disk=0 Partition=1) ==>[System with boot components (obtained from reading drive)]
Drive g: () (Removable) (Total:1.88 GB) (Free:1.88 GB) FAT (Disk=1 Partition=1)
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
 
==================== MBR & Partition Table ==================
 
========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 699 GB) (Disk ID: 36578230)
Partition 1: (Active) - (Size=399 MB) - (Type=27)
Partition 2: (Not Active) - (Size=349 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=350 GB) - (Type=07 NTFS)
 
========================================================
Disk: 1 (Size: 2 GB) (Disk ID: 6F20736B)
Partition 1: (Not Active) - (Size=544 GB) - (Type=72)
Partition 2: (Not Active) - (Size=923 GB) - (Type=65)
Partition 3: (Not Active) - (Size=923 GB) - (Type=79)
Partition 4: (Not Active) - (Size=-336763289600) - (Type=0D)
 
 
Last Boot: 2013-05-25 03:55
 
==================== End Of Log ============================


#6 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:18 PM

Posted 31 May 2013 - 11:57 AM

Step 1: Rerun FRST
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt
 

HKLM-x32\...\Runonce: [9EF927D9-CA2F-4329-9A7D-168AD1E06525] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 9EF927D9-CA2F-4329-9A7D-168AD1E06525.exe -postboot [x]
HKLM-x32\...\Runonce: [3A30AADF-CF81-44CE-8FF2-4F6E631B3E84] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 3A30AADF-CF81-44CE-8FF2-4F6E631B3E84.exe -activeimages -postboot [x]
HKLM-x32\...\Runonce: [0A8A53A5-716C-4096-9616-F5D377FFDFE6] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 0A8A53A5-716C-4096-9616-F5D377FFDFE6.exe -postboot [x]
HKLM-x32\...\Runonce: [AF343A8D-8010-488B-AF84-FDC6CF3519EE] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B AF343A8D-8010-488B-AF84-FDC6CF3519EE.exe -activeimages -postboot [x]

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system


Boot back into System Recovery Options, as we've done previously.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it in your reply.
 
 
Step 2: Let's have a look at what TDSSKiller has previously removed:

  • If you can, boot into Normal mode. If you can't, try booting into Safe Mode with Networking.
  • Please download TDSS Qlook and save it to your desktop.
  • Double-click the program and run it.
  • Type the letter A and press ENTER.
  • A logfile will open (TDSSQ.txt), please copy and paste the contents of that logfile into your next reply.

 

In your next reply, please copy and paste the following:

  • Fixlog.txt
  • TDSSQ.txt
  • How's your computer running now? Please be as descriptive as possible.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif
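The fixlist in this post targets four RunOnce values that launch a GUID-named executable from the user's Temp folder. As an added example (not part of this thread, and not FRST's own code), the Python script below parses FRST-style Run/RunOnce lines and marks the properties a log reviewer looks for: a launch directory under Temp, FRST's trailing "[x]" marker (the referenced file was not found), and a GUID-shaped value name. The sample input is constructed from the four lines above plus one made-up benign Run entry; the flags are review prompts, not verdicts, since legitimate installers also register post-reboot tasks from Temp this way.

```python
import re
from typing import Any, Dict, List, Optional

# Sample input: the four RunOnce lines from the fixlist in this thread, plus one
# constructed benign Run entry (not from the thread) for contrast.
SAMPLE_LINES = r"""
HKLM-x32\...\Runonce: [9EF927D9-CA2F-4329-9A7D-168AD1E06525] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 9EF927D9-CA2F-4329-9A7D-168AD1E06525.exe -postboot [x]
HKLM-x32\...\Runonce: [3A30AADF-CF81-44CE-8FF2-4F6E631B3E84] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 3A30AADF-CF81-44CE-8FF2-4F6E631B3E84.exe -activeimages -postboot [x]
HKLM-x32\...\Runonce: [0A8A53A5-716C-4096-9616-F5D377FFDFE6] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B 0A8A53A5-716C-4096-9616-F5D377FFDFE6.exe -postboot [x]
HKLM-x32\...\Runonce: [AF343A8D-8010-488B-AF84-FDC6CF3519EE] cmd.exe /C start /D "C:\Users\Rupert\AppData\Local\Temp" /B AF343A8D-8010-488B-AF84-FDC6CF3519EE.exe -activeimages -postboot [x]
HKLM\...\Run: [ExampleTray] "C:\Program Files\Example\example.exe" /tray
"""

# FRST prints autorun values as:  <hive>\...\<Run|RunOnce>: [<value name>] <command> [x]
# The trailing "[x]" is FRST's marker that it could not find the referenced file.
_AUTORUN_RE = re.compile(
    r"^(?P<hive>\S+?)\\\.\.\.\\(?P<key>RunOnce|Run): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?P<missing> \[x\])?$",
    re.IGNORECASE,
)
# "start /D <dir>" sets the working directory the target is launched from.
_START_DIR_RE = re.compile(r'/D\s+"([^"]+)"', re.IGNORECASE)
# A path component named Temp (user or system temp directory).
_TEMP_DIR_RE = re.compile(r'\\Temp(?=[\\"\s]|$)', re.IGNORECASE)
# Value names shaped like a GUID (8-4-4-4-12 hex groups).
_GUID_RE = re.compile(r"[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}", re.IGNORECASE)


def parse_autorun_line(line: str) -> Optional[Dict[str, Any]]:
    """Parse one FRST Run/RunOnce line into a dict, or return None for other lines."""
    m = _AUTORUN_RE.match(line.strip())
    if m is None:
        return None
    cmd = m.group("cmd")
    start_dir = _START_DIR_RE.search(cmd)
    launch_dir = start_dir.group(1) if start_dir else None
    flags: List[str] = []
    if _TEMP_DIR_RE.search(cmd):
        flags.append("launches-from-temp")      # anything under a Temp directory
    if m.group("missing"):
        flags.append("target-missing")          # FRST could not find the file
    if _GUID_RE.fullmatch(m.group("name")):
        flags.append("guid-named-value")        # value name is a bare GUID
    return {
        "hive": m.group("hive"),
        "key": m.group("key"),
        "name": m.group("name"),
        "cmd": cmd,
        "launch_dir": launch_dir,
        "flags": flags,
    }


def review_autoruns(text: str) -> List[Dict[str, Any]]:
    """Parse every autorun line in an FRST log excerpt, keeping file order."""
    entries: List[Dict[str, Any]] = []
    for line in text.splitlines():
        entry = parse_autorun_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def flagged_names(text: str) -> List[str]:
    """Value names that carry at least one review flag."""
    return [str(e["name"]) for e in review_autoruns(text) if e["flags"]]


if __name__ == "__main__":
    for e in review_autoruns(SAMPLE_LINES):
        marker = ", ".join(e["flags"]) or "no flags"
        print(f'{e["hive"]}\\{e["key"]} [{e["name"]}] -> {marker}')
```

Run against the sample, the four GUID entries come back with all three flags and the constructed Run entry with none. The same parser can be pointed at a full FRST.txt to pull out every Run/RunOnce line before deciding what belongs in a fixlist.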


#7 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 01:34 PM

Hello again, thanks for your help thus far!

 

I managed to get the fixlog, but I cannot access any memory stick/device in Normal or Safe mode (the computer wants to format them and always 'fails' halfway through the process). As a result I could not get TDSS Qlook to work, as I couldn't access it on my computer (I also tried in 'Repair your computer' mode using the command prompt, as we did before, but 'The subsystem needed to support the image type is not present').

 

As far as a look at the operation of the computer goes, the same problems are there: No administrator access allowed (as in above post), no internet access, no ability to internal (off-line) troubleshoot, no access to portable memory drives etc.

 

Here is the fixlog:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-05-2013 01
Ran by SYSTEM at 2013-05-31 18:24:32 Run:1
Running from G:\
Boot Mode: Recovery
==============================================
 
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\9EF927D9-CA2F-4329-9A7D-168AD1E06525 => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\3A30AADF-CF81-44CE-8FF2-4F6E631B3E84 => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\0A8A53A5-716C-4096-9616-F5D377FFDFE6 => Value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\\AF343A8D-8010-488B-AF84-FDC6CF3519EE => Value deleted successfully.
 
==== End of Fixlog ====


#8 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 02:00 PM

Can I do a backup in repair mode (using notepad to copy and paste my files to an external harddrive, which I can access only in this mode) without possibly spreading the virus onto my external hard drive? I don't have a recent backup so if anything goes wrong I'll lose a lot of data! What are your thoughts on this?

Edited by Perplexed_student, 31 May 2013 - 02:01 PM.


#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:18 PM

Posted 31 May 2013 - 02:22 PM

Can I do a backup in repair mode (using notepad to copy and paste my files to an external harddrive, which I can access only in this mode) without possibly spreading the virus onto my external hard drive? I don't have a recent backup so if anything goes wrong I'll lose a lot of data! What are your thoughts on this?

 

Yes, you could try copying the files onto your external hard drive that way. I haven't seen any indication that the virus/malware is a type that infects other files, so it's unlikely (though not impossible) it'll spread to your external hard drive.

 

I'm not seeing much active malware in the logs, we're just trying to repair the damage the malware has done.  I've got to do some more research on our next step. I'll post back shortly.


Regards,
Jason

 



#10 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 02:27 PM

I could post the TDSSKiller log if you like, though it didn't clearly pick up anything I could see!

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:18 PM

Posted 31 May 2013 - 02:42 PM

It probably won't be helpful. I had thought that tdsskiller might have quarantined a legit file, but if the log didn't seem to pick up anything, you don't have to post the log.

 

 

Rerun FRST
 
Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flashdrive as fixlist.txt

CMD: sfc /scannow

 
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.
 
Boot back into System Recovery Options, as we've done previously.
Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt) please post it to your reply.


Regards,
Jason

 



#12 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 03:08 PM

Here is the log. For some reason it thinks there is a previous repair pending (and asks me to restart). This is the second attempt I did (the log was the same, so I did a restart after the 1st one as it asked), but the log result was the same!

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-05-2013 01
Ran by SYSTEM at 2013-05-31 21:04:32 Run:3
Running from G:\
Boot Mode: Recovery
==============================================
 
 
=========  sfc /scannow =========
 
 
 
Beginning system scan.  This process will take some time.
 
 
 
 
There is a system repair pending which requires reboot to complete.  Restart 
 
Windows and run sfc again.
 
 
========= End of CMD: =========
 
 
==== End of Fixlog ====


#13 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 03:12 PM

Scratch that, did it again and there is a different log:

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 30-05-2013 01
Ran by SYSTEM at 2013-05-31 21:10:58 Run:4
Running from G:\
Boot Mode: Recovery
==============================================
 
 
=========  sfc / scannow =========
 
 
 
Microsoft ® Windows ® Resource Checker Version 6.0
 
Copyright © 2006 Microsoft Corporation. All rights reserved.
 
 
 
Scans the integrity of all protected system files and replaces incorrect versions with 
 
correct Microsoft versions.
 
 
 
SFC [/SCANNOW] [/VERIFYONLY] [/SCANFILE=<file>] [/VERIFYFILE=<file>]
 
    [/OFFWINDIR=<offline windows directory> /OFFBOOTDIR=<offline boot directory>]
 
 
 
/SCANNOW        Scans integrity of all protected system files and repairs files with
 
                problems when possible.
 
/VERIFYONLY     Scans integrity of all protected system files. No repair operation is
 
                performed.
 
/SCANFILE       Scans integrity of the referenced file, repairs file if problems are
 
                identified. Specify full path <file>
 
/VERIFYFILE     Verifies the integrity of the file with full path <file>.  No repair
 
                operation is performed.
 
/OFFBOOTDIR     For offline repair specify the location of the offline boot directory
 
/OFFWINDIR      For offline repair specify the location of the offline windows directory
 
 
 
e.g.
 
 
 
        sfc /SCANNOW
 
        sfc /VERIFYFILE=c:\windows\system32\kernel32.dll
 
        sfc /SCANFILE=d:\windows\system32\kernel32.dll /OFFBOOTDIR=d:\ /OFFWINDIR=d:\windows
 
        sfc /VERIFYONLY
 
 
========= End of CMD: =========
 
 
==== End of Fixlog ====


#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:11:18 PM

Posted 31 May 2013 - 03:33 PM

Please try restarting your computer (if you haven't already), and try starting your computer normally.  Are you still having the same trouble as before?


Regards,
Jason

 



#15 Perplexed_student

Perplexed_student
  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male
  • Location:Bristol, UK
  • Local time:04:18 AM

Posted 31 May 2013 - 03:36 PM

I'm afraid so, all the issues stated above still persist! :-(





